General

  • Target

    REQUEST FOR QUOTE.exe

  • Size

    891KB

  • Sample

    230705-eksltsca2y

  • MD5

    164a1a27b7b433966e4baacfd59353cc

  • SHA1

    7d1593f5ccecd3b714b47cce75b66d477b2a6025

  • SHA256

    9e375d13756195da6c9c580e435042ff8105ef2c2e83b0270d98f3fc387e6ce8

  • SHA512

    0a5df388544611698fe7398ee1227e4f8c25b772fc041acdc5e9f35866efd48f268519d8089f9b0b1c4fdeee54d01b719d1c839ac3194d80f479f9d4f03f9a20

  • SSDEEP

    12288:/Lk70TnvjcJU26d4PjQGeEBO7QMPTzAwO7DiXH8EjLvQcVnHYe0ScK1hk:zk70TrcJUL/GeEBO7QMyDMHnvGBSpc

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Targets

    • Target

      REQUEST FOR QUOTE.exe

    • Size

      891KB

    • MD5

      164a1a27b7b433966e4baacfd59353cc

    • SHA1

      7d1593f5ccecd3b714b47cce75b66d477b2a6025

    • SHA256

      9e375d13756195da6c9c580e435042ff8105ef2c2e83b0270d98f3fc387e6ce8

    • SHA512

      0a5df388544611698fe7398ee1227e4f8c25b772fc041acdc5e9f35866efd48f268519d8089f9b0b1c4fdeee54d01b719d1c839ac3194d80f479f9d4f03f9a20

    • SSDEEP

      12288:/Lk70TnvjcJU26d4PjQGeEBO7QMPTzAwO7DiXH8EjLvQcVnHYe0ScK1hk:zk70TrcJUL/GeEBO7QMyDMHnvGBSpc

    • BluStealer

      A Modular information stealer written in Visual Basic.

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks